security and risk analysis questionnaire


Upload: luzmerc

Post on 25-May-2017


Page 1: Security and Risk Analysis Questionnaire

Risk and Security Analysis

Practice Name: ___________________________________

RISK ANALYSIS (R)
§ 164.308(a)(1)(ii)(A)
Standard: “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
Question: Have you identified the EPHI within your organization? This includes EPHI that you create, receive, maintain or transmit. Please note that EPHI may be resident on computer workstations, servers or on portable devices such as laptops and PDAs.

RISK MANAGEMENT (R)
§ 164.308(a)(1)(ii)(B)
Standard: “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”
Question: What security measures are already in place to protect EPHI - this can be a comprehensive view of all measures, whether administrative, physical or technical, such as an overarching security policy; door locks to rooms where EPHI is stored; or the use of password-protected files.

SANCTION POLICY (R)
§ 164.308(a)(1)(ii)(C)
Standard: “Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”
Question: Have you developed, applied and implemented policies specific to violations of the security policies and procedures? If so, do they provide appropriate sanctions for workforce members who fail to comply with your security policies and procedures? (i.e., have you included your sanction policy in your workforce manual and trained your staff on the policy?)


AUTHORIZATION AND/OR SUPERVISION (A)
§ 164.308(a)(3)(ii)(A)
Standard: “Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.”
Question: Are the procedures used by your workforce consistent with your access policies (i.e., do people who should have access actually have that access? Are people who should not have access prevented from accessing the information?)

PASSWORD MANAGEMENT (A)
§ 164.308(a)(5)(ii)(D)
Standard: “Implement procedures for creating, changing, and safeguarding passwords.”
Question: Does your workforce training address topics such as not sharing passwords with other workforce members or not writing down passwords and leaving them in open areas?

DATA BACKUP PLAN (R)
§ 164.308(a)(7)(ii)(A)
Standard: “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”
Question: Do your procedures identify all sources of EPHI that must be backed up, such as patient accounting systems, electronic medical or health records, digital recordings of diagnostic images, electronic test results, or any other electronic documents created or used that contain EPHI?

WRITTEN CONTRACT OR OTHER ARRANGEMENTS (R)
§ 164.308(b)(4)
Standard: “Document the satisfactory assurances required by this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a) [(the Business Associate Contracts or Other Arrangements Standard)].”
Question: Do you have contracts in place with outside entities entrusted with health information generated by your office? If so, do the contracts provide assurances that the information will be properly safeguarded?


FACILITY SECURITY PLAN (A)
§ 164.310(a)(2)(ii)
Standard: “Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”
Question: Do your office policies and procedures identify controls to prevent unauthorized physical access, tampering, and theft of EPHI? These could include locked doors, signs warning of restricted areas, surveillance cameras, alarms, and identification numbers and security cables on computers.

MAINTENANCE RECORDS (A)
§ 164.310(a)(2)(iv)
Standard: “Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks).”
Question: Has your office implemented policies and procedures that specify how repairs and modifications to a building or facility will be documented to demonstrate that the EPHI is protected?

Standard: This standard does not have corresponding implementation specifications. However, compliance with the standard itself is required (R).
Question: Do your office policies and procedures specify the use of additional security measures to protect workstations with EPHI, such as using privacy screens, enabling password-protected screen savers or logging off the workstation?

DISPOSAL (R)
§ 164.310(d)(2)(i)
Standard: “Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”
Question: Does your office have a method of destroying EPHI on equipment and media you are no longer using? For example, have you considered purchasing hard drive erasure software for a planned upgrade of office computers?


DATA BACKUP AND STORAGE (A)
§ 164.310(d)(2)(iv)
Standard: “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.”
Question: Do you have a process in place to create a retrievable, exact copy of EPHI before the equipment on which it is stored is moved?

UNIQUE USER IDENTIFICATION (R)
§ 164.312(a)(2)(i)
Standard: “Assign a unique name and/or number for identifying and tracking user identity.”
Question: Do you have a process in place to assign each user of your system a unique user identifier? If so, can the identifier be used to track user activity within information systems that contain EPHI? This may or may not be reasonable or appropriate for a solo clinician where access has been granted to all office staff.

AUTOMATIC LOGOFF (A)
§ 164.312(a)(2)(iii)
Standard: “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”
Question: Do your current information systems have an automatic logoff capability to ensure that unauthorized users do not access data on unattended workstations?

Standard: This standard does not have corresponding implementation specifications. However, compliance with the standard itself is required (R).
Question: Does your system require the input of something known only to the person or entity seeking access to EPHI (such as a password or PIN) prior to granting the requested access?


ENCRYPTION (A)
§ 164.312(e)(2)(ii)
Standard: “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”
Question: Based on your required risk analysis, is encryption needed to protect the transmission of EPHI between your office and outside organizations? If not, what measures do you have in place to ensure the protection of this information? Practices and providers might consider password protection of documents or files containing EPHI and/or prohibiting the transmission of EPHI via email.

Risk and Security Analysis Conducted by:

___________________________________

Printed Name

_________________________________________________
Signature                                        Date
